Using IOS 15.0 code, the user is able to successfully use auth-proxy with TACACS+ and ACS 4.x. However, as soon as the user upgrades the IOS to 15.1 or later, auth-proxy fails.
Conditions / Environment
NAS device running IOS 15.1+
auth-proxy using TACACS+
Cause / Problem Description
If you look at the 15.1 or 15.2 tacacs debugs you'll see the following:
265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59
265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy
265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip
However if you look at how the service is configured in the TACACS+ section of the interface configuration on the ACS you'll see that the protocol isn't specified:
It looks like the older 15.0 code didn't enforce the protocol for auth-proxy as strictly, whereas 15.1 and above does, and thus users fail auth-proxy.
The fix for this is actually quite simple. You can just add ip under the protocol tab in the above section as shown below:
However, the twist is that ACS doesn't just update the existing service; instead it creates a brand new service called "auth-proxy ip" (the older one was called just "auth-proxy"). So to fix this you need to go into each group which used to have "auth-proxy" enabled, enable "auth-proxy ip" for all of them, and copy over all the custom attributes so that it works exactly the same as before:
It's important to keep in mind, however, that until all NAS devices have been upgraded to 15.1+ code, it would be unwise to remove the old service.
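As an added illustration (not from the original post), the Python below parses debug lines in the format shown above, groups the AV pairs sent per authorization request id, and reports whether the service name the NAS asks for ("auth-proxy" alone, or "auth-proxy ip" once protocol=ip is sent) is one that is enabled on the ACS group. The sample debug lines and the exact service+protocol matching assumption are constructed for the example.

```python
import re

# Constructed sample of IOS "debug tacacs" output (not a real capture):
# request 58 mimics 15.0 behaviour (no protocol AV pair),
# request 59 mimics 15.1+ behaviour (protocol=ip is sent).
SAMPLE_DEBUG = """\
265400: Jan 26 14:13:50 EST: TPLUS: processing authorization request id 58
265401: Jan 26 14:13:50 EST: TPLUS: Sending AV service=auth-proxy
265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59
265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy
265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip
"""

REQ_RE = re.compile(r"TPLUS: processing authorization request id (\d+)")
AV_RE = re.compile(r"TPLUS: Sending AV (\w+)=(\S+)")


def parse_av_pairs(debug_text):
    """Group the AV pairs the NAS sends under each authorization request id."""
    requests = {}
    current = None
    for line in debug_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = m.group(1)
            requests[current] = {}
            continue
        m = AV_RE.search(line)
        if m and current is not None:
            requests[current][m.group(1)] = m.group(2)
    return requests


def service_name(av):
    """ACS-style service name: 'auth-proxy' alone, or 'auth-proxy ip' when a
    protocol AV pair accompanies the service."""
    name = av.get("service")
    if name is None:
        return None
    return f"{name} {av['protocol']}" if "protocol" in av else name


def check_requests(debug_text, enabled_services):
    """Map request id -> (service name requested, enabled on the ACS group?).
    Assumption: ACS matches the exact service+protocol name the NAS sends."""
    return {rid: (service_name(av), service_name(av) in enabled_services)
            for rid, av in parse_av_pairs(debug_text).items()}
```

Running check_requests with only "auth-proxy" enabled flags request 59 as unmatched; adding "auth-proxy ip" to the group clears it, which is the fix described above.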